January 10, 2012

Adobe and Microsoft today each issued software fixes to tackle dangerous security flaws in their products. If you use Acrobat, Adobe Reader or Windows, it’s time to patch.

Microsoft released seven security bulletins addressing at least eight vulnerabilities in Windows. The lone “critical” Microsoft patch addresses a pair of bugs in Windows Media Player. Microsoft warns that attackers could exploit these flaws to break into Windows systems without any help from users; the vulnerability could be triggered just by browsing to a site that hosts specially crafted video content.

The other Windows patches earned a less severe “important” rating from Microsoft, although not everyone agrees with that assessment. Symantec’s Joshua Talbot said another bug fixed today — a glitch in the way Windows handles Microsoft Office files — is potentially more dangerous because it appears to be easier to exploit than the Media Player flaw.

“The vulnerability is due to an oversight that allows an attacker to run malware as soon as a user opens a Word or PowerPoint file,” Talbot said. “Email attachments will probably be the most common attack method in which this vulnerability is exploited. As usual, we strongly recommend users only open email attachments from people they know.”

More information on the other patches Microsoft released today is available here.

I want to call attention to a security issue that Microsoft addressed over the holiday break that I neglected to write about earlier, but which deserves equal attention and patching. On Dec. 29, Microsoft issued an out-of-band update to address a flaw in ASP.Net that could allow an attacker to force a user to visit a malicious web site. The vulnerability affects all versions of the .NET Framework on Windows XP and later versions of Windows. If you use Windows and see a .NET Framework patch awaiting your approval in Windows Update this month, don’t neglect it.

In a separate release, Adobe pushed out security updates for Adobe Reader and Acrobat. At the forefront of the Adobe patch batch is a fix for a zero-day flaw in Acrobat and Reader that Adobe first warned about in early December. Shortly after that warning, Adobe issued a fix for the flaw in Reader 9.x and Acrobat 9.x, but said it would wait until today (its scheduled, quarterly update) to address it in the new Reader X and Acrobat X versions of the software. Adobe recommends that users of Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.2). Updates are available for Windows and Mac versions of these titles; see the Adobe advisory for the patch download links.

As ever, if you experience any problems as a result of installing these updates, please drop a note in the comments below.


12 thoughts on “Adobe, Microsoft Issue Critical Security Fixes”

  1. Nun

    FYI, One of those Dec. 29th updates does not always install correctly. Lots of users are having trouble with it. I have no idea why MS is not addressing this. I guess someone was in a hurry to start their holiday weekend.

  2. Tom

    When you say ‘out-of-band’ to describe Microsoft’s ASP.NET patch do you mean to say ‘out-of-cycle’?

    My understanding is that ‘out-of-band’ refers to patches delivered through a non-standard channel. For example, if MS decided for some reason to release a patch only through its website, instead of through its usual auto-update system.

    In contrast, ‘out-of-cycle’ refers to patches delivered outside a standard release schedule. So, for MS, that would be a patch not delivered on the second Tuesday of the month.

    Or have I misunderstood something?

      1. Tom

        Sorry if it seems pedantic. I don’t mean to nitpick.

        Actually I wasn’t completely sure what he meant. After I went to the MS website I figured out that it was out-of-cycle rather than out-of-band (according to my understanding of the terms anyway) but it wasn’t obvious from the article itself.

        I think the two terms are distinct and useful, so it seems worthwhile to preserve them.

      1. Tom

        Interesting. Perhaps ‘out-of-band’ has already been eroded past the point of being useful.

        If ‘out-of-band’ has become ambiguous then its use should be avoided. Perhaps ‘out-of-channel’ might be a good alternative.

        ‘Out-of-cycle’ seems quite unambiguous. I would advocate using that as the preferred term for a patch outside the usual release timetable.

        Unless there are things I have missed?

        1. Curmudgeon

          Good luck getting Microsoft to agree to change their terminology. Say hello to Sancho Panza for me.

  3. Ralphie

    Perhaps “Out of Order” would do. Seems to apply to some comments, as well.

  4. Stratocaster

    Any notion of why the past few months Adobe has made it so damned hard to find standalone installers for their “everywhere” products — e.g., Flash Player, Reader? Their new default seems to be some sort of Web installer app which is blocked by many corporate firewalls (including ours). It would be nice to just dump it once to a USB drive and then install it on all the PCs one has at hand rather than having each one download and then install it from the Web.

    And BTW, what’s with having to restart after updating Adobe Reader? Even with Vista and Win7.

  5. Susan

    @NUN – .net updates are notorious for having install issues. I haven’t met a .net update that I haven’t winced and said a few hail Bill’s hoping that they would install okay for everyone.

    On XP I honestly do not see the risk of not updating. Those updates are for web servers, not desktops.

    Microsoft always calls them “out of band”. It’s their lingo. Journalists and wordsmiths want to call them “out of cycle”. A MS guy explained to me why they call it “out of band” but I forget exactly why now. I think it’s a software naming thing. I’ll ask around and post back.

    1. Tom

      “I think it’s a software naming thing. I’ll ask around and post back.”

      Thanks Susan. I would be interested to know.

      I was thinking about this. Maybe it would be better to just use the word ‘unscheduled’. We have a perfectly good word in the language already, so why invent extra jargon?

  6. Susan

    http://en.wikipedia.org/wiki/Out_of_band
    Found out why. It’s telecommunications lingo. Communication ‘outside of the normal band used for communication’.

    They normally communicate security patch info on the second Tuesday. Any communication outside this normal channel is “out of band”.
